Payment cards such as credit cards and debit cards are in widespread use. In some environments, payment cards in the form of magnetic stripe cards prevail in terms of popularity. In other environments, it is more common to use so-called “contactless” payment cards. With contactless payment cards, the payment card account number is stored in an integrated circuit (IC) within the card, and is read by short-range radio communication between the card and the contactless reader component of a point of sale (POS) terminal. Enhancements to mobile phones, including smartphones, have added NFC (near field communication) capability, which enables so-called “contactless” payment cards to be digitized into these consumer devices. These mobile devices utilize a secure element (SE) to store the payment card account number and associated data, keys and Personal Identification Number (PIN), so that the consumer can perform a payment transaction over the NFC short-range radio link between the mobile device and the contactless reader component of a POS terminal.
Still other proposals envision storing information for several payment cards in a single smartphone. According to publicly disclosed concepts, a smartphone may be provided with a small “wallet application” to permit the user to select one of a number of payment card account applets (sometimes referred to as “cardlets”) for use in a current payment transaction. Each of the cardlets is associated with a different payment card account that belongs to the user of the smartphone, and each cardlet incorporates the payment card account number and other information corresponding to the respective payment card account. To provide secure storage and processing, the cardlets are stored in an IC (integrated circuit). In mobile NFC environments this IC is known as a Secure Element (SE); it may be provided as part of the GSM mobile SIM card, as a discrete SE embedded into the handset (known as an embedded SE, or eSE), or on a removable device such as a memory card.
For many payment transactions, the issuer of the payment card account or another entity mandates “two factor” security—that is, the user must not only present a physical credential (e.g., a payment card or payment-enabled mobile device), but also must provide additional information to verify that the user is the person who is authorized to present the credential. The presentation of additional information is sometimes referred to in the payment card industry as a “cardholder verification method”, or “CVM”. A widely used CVM calls for the user to enter a “PIN”, i.e., a “personal identification number”. Often when a payment card (and especially a debit card) is presented to a POS terminal, the user is prompted to enter his/her PIN to satisfy a CVM requirement. There have also been many proposals for CVM requirements involving receipt of biometric information from the user.
It has been widely recognized that the user interface of a smartphone may be the channel by which the user may enter his/her PIN to comply with a CVM requirement. In a case where the smartphone stores several payment cardlets, one possible arrangement may require the user to enter a different PIN depending on which cardlet was selected to be active for the current payment transaction. As a known alternative, a standard shared CVM applet has been proposed to manage PIN entry into the smartphone to satisfy CVM requirements for all of the payment cardlets operable in the payment-enabled smartphone. In this case a single PIN may be used to “unlock” any of the payment cardlets present in the phone. For example, a standard published by “GlobalPlatform” defines a global PIN solution providing a shared CVM service on an integrated circuit card that may be incorporated in a smartphone. However, the present inventors have recognized that there are opportunities to improve upon the degree of flexibility and/or convenience provided by the previously proposed standard CVM smartphone applet.